Intrusion Detection
One of the most publicized threats to security is the intruder, generally referred to as a hacker or cracker.

An analysis of intrusion attacks revealed two levels of hackers. The high level were sophisticated users with a thorough knowledge of the technology. The low level were people who merely ran the supplied cracking programs with little understanding of how they worked.

To protect a system from intrusion attacks, two things are basically needed:
1. Put access controls in place for the system and its data.
2. Detect intruders quickly.

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. A fundamental tool for intrusion detection is the audit record: some record of ongoing activity by users must be maintained as input to an intrusion detection system.

Basically, two kinds of audit record are used:
1. Native audit records: virtually all multiuser operating systems include software that collects information on user activity.
2. Detection-specific audit records: a collection facility can be implemented that generates audit records containing only the information required by the intrusion detection system.

Main approaches to intrusion detection
1. Statistical anomaly detection: involves collecting data on the behavior of legitimate users over a period of time. Statistical tests are then applied to observed behavior to determine, with a high level of confidence, whether that behavior is not legitimate user behavior.
2. Rule-based detection: involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
3. Signature-based detection: performs simple pattern matching and reports situations that match a pattern corresponding to a known attack type.

Statistical Anomaly Detection
Statistical anomaly detection techniques fall into two categories: threshold detection and profile-based systems. Threshold detection involves counting the number of occurrences of a specific event type over an interval of time. If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed. Threshold detection on its own is not efficient.

Profile-based anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations. A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert. The foundation of this approach is an analysis of audit records. To do that, the designer decides on a number of quantitative metrics that can be used to measure user behavior. Current audit records are then fed in and compared against the profile to detect intrusion.

Examples of metrics for profile-based intrusion detection:
Counter: number of logins, commands executed during a single user session, number of password failures, etc.
Gauge: the number of logical connections assigned to a user application, the number of outgoing messages queued for a user process, etc.
Interval timer: the length of time between successive logins to an account, etc.
Resource utilization: number of pages printed during a user session, total time consumed by a program execution, etc.

Using these metrics, various tests can be performed to determine whether current activity fits within acceptable limits:
Mean and standard deviation
Multivariate
Markov process
Time series
Operational
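The two statistical categories above, worked through in code. This is an added example and not code from the lecture notes: it implements threshold detection (count one event type per user over a sliding time interval) and profile-based detection (per-user mean and standard deviation on several metrics, with an alert only when more than one parameter deviates, since a single deviating parameter is not sufficient by itself). The audit records, session history, threshold values, z-score limit and the minimum number of deviating metrics are all constructed or assumed for the example.

```python
"""Statistical anomaly detection over constructed audit records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# --- Threshold detection ---------------------------------------------------

def threshold_alerts(events, event_type, limit, window):
    """Return (user, window_start) for every burst in which `user` produced
    more than `limit` events of `event_type` inside a `window`-second interval.
    `events` is an iterable of (timestamp, user, event_type) tuples. A sliding
    window per user is used so a burst straddling a fixed interval boundary
    is still counted."""
    alerts = []
    recent = defaultdict(list)          # user -> timestamps inside the window
    for ts, user, etype in sorted(events):
        if etype != event_type:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # discard timestamps that fell out of the window
            q.pop(0)
        if len(q) > limit:
            alerts.append((user, q[0]))
            q.clear()                    # one alert per burst
    return alerts

# --- Profile-based detection -----------------------------------------------

def build_profiles(history):
    """history: {user: [ {metric: value, ...}, ... ]} of past sessions.
    Returns {user: {metric: (mean, population stdev)}}, i.e. the profile."""
    profiles = {}
    for user, sessions in history.items():
        per_metric = defaultdict(list)
        for session in sessions:
            for metric, value in session.items():
                per_metric[metric].append(value)
        profiles[user] = {m: (mean(v), pstdev(v)) for m, v in per_metric.items()}
    return profiles

def deviating_metrics(profile, session, z_limit=3.0):
    """Names of the metrics in `session` whose z-score against `profile`
    exceeds `z_limit`. A zero stdev (constant past behaviour) is replaced by
    1.0 so that any change still registers without dividing by zero."""
    out = []
    for metric, value in session.items():
        if metric not in profile:
            continue
        mu, sd = profile[metric]
        sd = sd if sd > 0 else 1.0
        if abs(value - mu) / sd > z_limit:
            out.append(metric)
    return out

def profile_alert(profile, session, z_limit=3.0, min_deviating=2):
    """Profile-based decision: (alert?, deviating metrics). Alerts only when at
    least `min_deviating` parameters deviate (assumed policy for the example)."""
    devs = deviating_metrics(profile, session, z_limit)
    return len(devs) >= min_deviating, devs

# --- Constructed sample data ------------------------------------------------

# (timestamp in seconds, user, event type); bob fails six passwords in five seconds
AUDIT_EVENTS = [
    (0, "alice", "login"),
    (5, "bob", "password_failure"), (6, "bob", "password_failure"),
    (7, "bob", "password_failure"), (8, "bob", "password_failure"),
    (9, "bob", "password_failure"), (10, "bob", "password_failure"),
    (3600, "alice", "password_failure"), (7200, "alice", "password_failure"),
]

# alice's past sessions, measured with counter/resource metrics from the text
SESSION_HISTORY = {
    "alice": [
        {"commands": 40, "password_failures": 0, "pages_printed": 2},
        {"commands": 50, "password_failures": 1, "pages_printed": 4},
        {"commands": 45, "password_failures": 0, "pages_printed": 3},
        {"commands": 55, "password_failures": 1, "pages_printed": 3},
    ],
}
SUSPICIOUS_SESSION = {"commands": 300, "password_failures": 8, "pages_printed": 3}
NORMAL_SESSION = {"commands": 60, "password_failures": 1, "pages_printed": 5}

if __name__ == "__main__":
    print(threshold_alerts(AUDIT_EVENTS, "password_failure", limit=5, window=60))
    profiles = build_profiles(SESSION_HISTORY)
    print(profile_alert(profiles["alice"], SUSPICIOUS_SESSION))
    print(profile_alert(profiles["alice"], NORMAL_SESSION))
```

The threshold detector flags bob's burst but not alice's two isolated failures an hour apart; the profile detector flags the suspicious session on two metrics at once while the normal session, which is higher than average on every metric but within three standard deviations, produces no alert.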

Rule-Based Intrusion Detection
Rule-based techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is suspicious.

Rule-based anomaly detection: historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns. As with statistical anomaly detection, this method does not require knowledge of security vulnerabilities within the system. A rather large database of rules will be needed.
Rule-based penetration identification: uses rules for identifying known penetrations or penetrations that would exploit known weaknesses. Rules can also be defined that identify suspicious behaviors.

Examples:
Users should not read files in other users' personal directories.
Users must not write other users' files.
Users who log in after hours often access the same files they used earlier.
Users should not be logged in more than once to the same system.
Users do not make copies of system programs.
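The rule-based approach above, as an added example (not code from the lecture notes): four of the example rules are encoded as predicates over a stream of audit records, each returning a reason string when it fires, and a small engine applies them in timestamp order. The "logged in more than once" rule is stateful and keeps a count of open sessions per user and host. The after-hours rule is a description of normal behaviour rather than a violation and is left out. The audit record layout, the /home/<user>/ convention for personal directories and the list of system program directories are assumptions for the example.

```python
"""Rule-based penetration identification over constructed audit records (added example)."""
import re
from collections import defaultdict

HOME_RE = re.compile(r"^/home/([^/]+)/")                       # assumed layout of personal directories
SYSTEM_PROGRAM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumed for the example

def home_owner(path):
    """User whose personal directory contains `path`, or None if not under /home."""
    m = HOME_RE.match(path)
    return m.group(1) if m else None

def rule_no_reading_others_home(ev, state):
    """Users should not read files in other users' personal directories."""
    if ev["action"] == "read":
        owner = home_owner(ev["path"])
        if owner and owner != ev["user"]:
            return f"{ev['user']} read {ev['path']} in {owner}'s personal directory"
    return None

def rule_no_writing_others_files(ev, state):
    """Users must not write other users' files."""
    if ev["action"] == "write":
        owner = home_owner(ev["path"])
        if owner and owner != ev["user"]:
            return f"{ev['user']} wrote {owner}'s file {ev['path']}"
    return None

def rule_single_login_per_system(ev, state):
    """Users should not be logged in more than once to the same system (stateful)."""
    key = (ev["user"], ev["host"])
    if ev["action"] == "login":
        state["sessions"][key] += 1
        if state["sessions"][key] > 1:
            return f"{ev['user']} is logged in to {ev['host']} more than once"
    elif ev["action"] == "logout":
        state["sessions"][key] = max(0, state["sessions"][key] - 1)
    return None

def rule_no_copying_system_programs(ev, state):
    """Users do not make copies of system programs."""
    if ev["action"] == "copy" and ev["path"].startswith(SYSTEM_PROGRAM_DIRS):
        return f"{ev['user']} copied system program {ev['path']}"
    return None

RULES = [
    rule_no_reading_others_home,
    rule_no_writing_others_files,
    rule_single_login_per_system,
    rule_no_copying_system_programs,
]

def apply_rules(events, rules=RULES):
    """Run every rule over the events in timestamp order.
    Returns a list of (timestamp, rule name, reason) for each rule that fired."""
    state = {"sessions": defaultdict(int)}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            reason = rule(ev, state)
            if reason:
                findings.append((ev["ts"], rule.__name__, reason))
    return findings

def audit(ts, user, action, path="", host="srv1"):
    """Helper to build a constructed audit record."""
    return {"ts": ts, "user": user, "host": host, "action": action, "path": path}

# Constructed audit trail: one legitimate read, then four rule violations
AUDIT_EVENTS = [
    audit(1, "alice", "login"),
    audit(2, "alice", "read", "/home/alice/notes.txt"),
    audit(3, "alice", "read", "/home/bob/private/report.txt"),
    audit(4, "alice", "login"),                      # second concurrent login on srv1
    audit(5, "alice", "copy", "/usr/bin/passwd"),
    audit(6, "bob", "write", "/home/alice/.profile"),
    audit(7, "alice", "logout"),
]

if __name__ == "__main__":
    for ts, rule, reason in apply_rules(AUDIT_EVENTS):
        print(f"t={ts} {rule}: {reason}")
```

Each rule is independent of the others and sees the shared `state` dictionary, which is how a stateful rule (session counting) coexists with stateless ones; adding a rule means adding one predicate to RULES.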

Signature-Based Intrusion Detection
Signature-based intrusion detection cannot detect a new attack for which a signature is not yet installed in the database. Signature-based intrusion detection tends to use statistical analysis.

SYN denial of service attacks
When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections (telnet, Web, email, etc.). The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and service-specific data can be exchanged between the client and the server.

Here is a view of this message flow:

    Client                        Server
      | ---------- SYN ---------->  |
      | <-------- SYN-ACK --------  |
      | ---------- ACK ---------->  |

The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message. This is what we mean by a half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.

Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system. The half-open connection data structure on the victim server system will eventually fill; the system will then be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.

In most cases, the victim of such an attack will have difficulty accepting any new incoming network connection. In these cases, the attack affects neither existing incoming connections nor the ability to originate outgoing network connections. However, in some cases the system may exhaust memory, crash, or otherwise be rendered inoperative.

A simple signature for the above attack might describe a series of TCP SYN packets sent to many different ports in succession and at times close to one another, as would be the case for a port scan. Similarly, some implementations of the protocol stack fail if they receive an ICMP packet with a data length of 65535 bytes, so such a packet would be a pattern for which to watch.
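The half-open connection table and the two signatures described above, as an added example that is not code from the lecture notes. It models the server's pending-connection table (SYN seen, final ACK not yet seen) with the timeout the text mentions, so a burst of SYNs whose ACKs never arrive can be watched filling the table and later expiring; it then runs the port-scan signature (one source sending SYNs to many distinct ports within a short window) and the oversized-ICMP signature (data length 65535) over a constructed packet trace. The packet record layout, the alert thresholds, the scan window and the 30-second timeout are assumptions chosen for the example; the addresses are documentation ranges.

```python
"""Signature-based detection over a constructed packet trace (added example)."""
from collections import defaultdict

HALF_OPEN_TIMEOUT = 30.0   # assumed seconds before a pending connection expires
HALF_OPEN_ALERT = 5        # assumed pending-connection count that raises an alert
SCAN_PORTS = 4             # assumed distinct ports from one source that count as a scan
SCAN_WINDOW = 2.0          # assumed seconds within which those SYNs must arrive
ICMP_MAX_DATA = 65535      # data length the text names as a crash trigger

class HalfOpenTable:
    """Tracks half-open connections the way the server's own table would,
    keyed by (client, server, port) and expired after `timeout` seconds."""
    def __init__(self, timeout=HALF_OPEN_TIMEOUT):
        self.timeout = timeout
        self.pending = {}            # (src, dst, dport) -> time the SYN arrived

    def expire(self, now):
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]

    def observe(self, pkt):
        """Update from one client-side TCP packet; return the half-open count."""
        self.expire(pkt["ts"])
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN":
            self.pending[key] = pkt["ts"]      # handshake started
        elif pkt["flags"] == "ACK":
            self.pending.pop(key, None)        # handshake completed
        return len(self.pending)

def syn_scan_signature(packets, ports=SCAN_PORTS, window=SCAN_WINDOW):
    """Sources that sent SYNs to at least `ports` distinct ports within `window` seconds."""
    seen = defaultdict(list)                   # src -> [(ts, dport)]
    hits = set()
    for p in packets:
        if p["proto"] != "tcp" or p["flags"] != "SYN":
            continue
        seen[p["src"]].append((p["ts"], p["dport"]))
        recent = {dport for ts, dport in seen[p["src"]] if p["ts"] - ts <= window}
        if len(recent) >= ports:
            hits.add(p["src"])
    return hits

def oversized_icmp_signature(packets):
    """ICMP packets whose data length reaches the 65535-byte pattern."""
    return [p for p in packets if p["proto"] == "icmp" and p["length"] >= ICMP_MAX_DATA]

def run_signatures(packets):
    """Run all three detectors over a packet trace; return a dict of findings."""
    table = HalfOpenTable()
    syn_flood = []
    for p in sorted(packets, key=lambda x: x["ts"]):
        if p["proto"] == "tcp":
            n = table.observe(p)
            if n >= HALF_OPEN_ALERT:
                syn_flood.append((p["ts"], n))
    return {
        "syn_flood": syn_flood,                                # (time, half-open count)
        "half_open_remaining": len(table.pending),            # after the last packet
        "port_scan": sorted(syn_scan_signature(packets)),
        "oversized_icmp": [(p["ts"], p["src"]) for p in oversized_icmp_signature(packets)],
    }

def pkt(ts, proto, src, dst, dport=0, flags="", length=0):
    """Helper to build a constructed packet summary record."""
    return {"ts": ts, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "flags": flags, "length": length}

SERVER = "10.0.0.1"
TRACE = [
    # a legitimate client completes its handshake
    pkt(0.0, "tcp", "10.0.0.5", SERVER, 80, "SYN"),
    pkt(0.1, "tcp", "10.0.0.5", SERVER, 80, "ACK"),
    # five SYNs from addresses that never answer the SYN-ACK: the table fills
    pkt(1.0, "tcp", "203.0.113.10", SERVER, 80, "SYN"),
    pkt(1.1, "tcp", "203.0.113.11", SERVER, 80, "SYN"),
    pkt(1.2, "tcp", "203.0.113.12", SERVER, 80, "SYN"),
    pkt(1.3, "tcp", "203.0.113.13", SERVER, 80, "SYN"),
    pkt(1.4, "tcp", "203.0.113.14", SERVER, 80, "SYN"),
    # one source probing several ports in quick succession
    pkt(5.0, "tcp", "198.51.100.7", SERVER, 21, "SYN"),
    pkt(5.2, "tcp", "198.51.100.7", SERVER, 22, "SYN"),
    pkt(5.4, "tcp", "198.51.100.7", SERVER, 23, "SYN"),
    pkt(5.6, "tcp", "198.51.100.7", SERVER, 25, "SYN"),
    # an ICMP packet with the oversized data length
    pkt(9.0, "icmp", "198.51.100.7", SERVER, length=65535),
    # a minute later every pending entry has timed out before this SYN is added
    pkt(60.0, "tcp", "10.0.0.6", SERVER, 443, "SYN"),
]

if __name__ == "__main__":
    for name, value in run_signatures(TRACE).items():
        print(f"{name}: {value}")
```

The half-open count reaches the alert level at the fifth unanswered SYN and keeps climbing while the scan SYNs arrive (they are half-open connections too); by the packet at 60 seconds the timeout has drained the table, which is the recovery the text describes, and only the newest SYN remains pending.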

Implementations of IDS
An intrusion detection system (IDS) is implemented by a combination of hardware and software. Usually an IDS is a device, e.g. a separate computer, that monitors activity to identify malicious or suspicious events. An IDS may be a network device or a program running on a network device (in particular, a host-based IDS).

Most IDSs run in stealth mode, where the IDS has two network interfaces: one for the network (or network segment) being monitored and the other for generating alerts and perhaps other administrative needs. The IDS uses the monitored interface as input only; it never sends packets out through that interface, so it is a perfect passive wiretap.

Cisco's IDS is composed of two primary components:
IDS sensor: standalone IDS 4200 series sensors, Catalyst 6000 IDSM sensor, router and PIX Firewall sensors.
Management console: UNIX Director, CSPM (Cisco Secure Policy Manager).